What's the difference between a CPACF and a crypto express?

My colleague Tony Sharkey wrote the following words for a customer. I thought it was worth sharing them.

z Machines (z13) these days have:

- 4 drawers
- Each drawer has 2 nodes
- Each node has 3 memory chip modules (MCM)
- Each MCM has between 6-8 processors, which can be configured as GPs, zIIP, IFL etc.

Each processor also has a CPACF (Central Processor Assist Crypto Function)
- This changed on zEC12 (prior to that, it was 1 CPACF per 2 processors)

The CPACF processor is used for encryption, decryption and hashing, and supports a ‘special’ instruction set. The instructions are used by System SSL (GSKit), which MQ (and MQ AMS) exploits.
They must be enabled (feature #3863).
Work run on CPACF is charged to the owning Address Space.
Work is run in series – i.e. either GP or CPACF is doing work – not in parallel.
- On zEC12 onwards, this means no waiting for the CPACF processor.

MQ can run SSL channels which are secure using just GPs (and CPACF).

CryptoExpress cards
However, there are CryptoExpress (CEX) cards which can be added to offload (some of) the cost of cryptography.
CEX cards can be configured as co-processors or accelerators or PKCS processors.

Each card has a number (8?) of processors that can be configured for different purposes.

MQ can use either co-processors or accelerators. We have been given guidance that the accelerator is more optimal for MQ’s purposes.

MQ (as it uses System SSL) can only offload secret key negotiation to the CEX card, i.e. at channel start and when the SSLRKEYC trigger is met.

In reality, some part of the key negotiation will be performed on GP (and CPACF) regardless of CEX availability.

MQ does not need CEX to run – it can work perfectly well with just GP (and CPACF), but you will see increased cost relating to secret key negotiation, and this may have an impact on what else the processors can do.